mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-15 20:20:22 +00:00
2c86496728
* new samples; updates * typos * add policy to restrict LoadBalancer * correct sample numbering * fix typos * add EnsurePodProbesDifferent * add DisallowSecrets policy * add AddDefaultLabels policy * typo
66 lines
No EOL
2.4 KiB
YAML
66 lines
No EOL
2.4 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: validate-probes
|
|
annotations:
|
|
# Only applies to pods originating from DaemonSet, Deployment, or StatefulSet.
|
|
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
|
|
spec:
|
|
validationFailureAction: enforce
|
|
background: false
|
|
rules:
|
|
# Checks the first container in a Pod.
|
|
- name: validate-probes-c0
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Liveness and readiness probes cannot be the same."
|
|
# A `deny` rule is different in structure than a `validate` rule and inverts the check. It uses `conditions` written in JMESPath notation upon which to base its decisions.
|
|
deny:
|
|
conditions:
|
|
# In this condition, it checks the entire map structure of the `readinessProbe` against that of the `livenessProbe`. If both are found to be equal, the Pod creation
|
|
# request will be denied.
|
|
- key: "{{ request.object.spec.containers[0].readinessProbe }}"
|
|
operator: Equals
|
|
value: "{{ request.object.spec.containers[0].livenessProbe }}"
|
|
# Checks the second container in a Pod.
|
|
- name: validate-probes-c1
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Liveness and readiness probes cannot be the same."
|
|
deny:
|
|
conditions:
|
|
- key: "{{ request.object.spec.containers[1].readinessProbe }}"
|
|
operator: Equals
|
|
value: "{{ request.object.spec.containers[1].livenessProbe }}"
|
|
# Checks the third container in a Pod.
|
|
- name: validate-probes-c2
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Liveness and readiness probes cannot be the same."
|
|
deny:
|
|
conditions:
|
|
- key: "{{ request.object.spec.containers[2].readinessProbe }}"
|
|
operator: Equals
|
|
value: "{{ request.object.spec.containers[2].livenessProbe }}"
|
|
# Checks the fourth container in a Pod.
|
|
- name: validate-probes-c3
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Liveness and readiness probes cannot be the same."
|
|
deny:
|
|
conditions:
|
|
- key: "{{ request.object.spec.containers[3].readinessProbe }}"
|
|
operator: Equals
|
|
value: "{{ request.object.spec.containers[3].livenessProbe }}" |